/*
 * Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package cn.cloud.all.security.oauth2.client.authentication;

import cn.cloud.all.security.authentication.AuthenticationProvider;
import cn.cloud.all.security.core.*;
import cn.cloud.all.security.core.authority.GrantedAuthoritiesMapper;
import cn.cloud.all.security.core.endpoint.OAuth2AccessTokenResponse;
import cn.cloud.all.security.core.user.OAuth2User;
import cn.cloud.all.security.oauth2.client.userinfo.OAuth2UserRequest;
import cn.cloud.all.security.oauth2.client.userinfo.OAuth2UserService;
import cn.cloud.all.security.oauth2.endpoint.OAuth2AccessTokenResponseClient;
import cn.cloud.all.security.oauth2.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.util.Assert;

import java.util.Collection;
import java.util.Map;

public class OAuth2LoginAuthenticationProvider implements AuthenticationProvider {
    private final OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;
    private final OAuth2UserService<OAuth2UserRequest, OAuth2User> userService;
    private GrantedAuthoritiesMapper authoritiesMapper = (authorities -> authorities);

    /**
     * Constructs an {@code OAuth2LoginAuthenticationProvider} using the provided parameters.
     *
     * @param accessTokenResponseClient the client used for requesting the access token credential from the Token Endpoint
     * @param userService               the service used for obtaining the user attributes of the End-User from the UserInfo Endpoint
     */
    public OAuth2LoginAuthenticationProvider(OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient, OAuth2UserService<OAuth2UserRequest, OAuth2User> userService) {

        Assert.notNull(accessTokenResponseClient, "accessTokenResponseClient cannot be null");
        Assert.notNull(userService, "userService cannot be null");
        this.accessTokenResponseClient = accessTokenResponseClient;
        this.userService = userService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2LoginAuthenticationToken authorizationCodeAuthentication = (OAuth2LoginAuthenticationToken) authentication;

        // Section 3.1.2.1 Authentication Request - https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
        // scope
        // 		REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
        if (authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationRequest().getScopes().contains("openid")) {
            // This is an OpenID Connect Authentication Request so return null
            // and let OidcAuthorizationCodeAuthenticationProvider handle it instead
            return null;
        }

        OAuth2AccessTokenResponse accessTokenResponse;
        try {
            OAuth2AuthorizationExchangeValidator.validate(authorizationCodeAuthentication.getAuthorizationExchange());

            accessTokenResponse = this.accessTokenResponseClient.getTokenResponse(
                    new OAuth2AuthorizationCodeGrantRequest(
                            authorizationCodeAuthentication.getClientRegistration(),
                            authorizationCodeAuthentication.getAuthorizationExchange()));

        } catch (OAuth2AuthorizationException ex) {
            OAuth2Error oauth2Error = ex.getError();
            throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
        }

        OAuth2AccessToken accessToken = accessTokenResponse.getAccessToken();
        Map<String, Object> additionalParameters = accessTokenResponse.getAdditionalParameters();

        OAuth2User oauth2User = this.userService.loadUser(new OAuth2UserRequest(
                authorizationCodeAuthentication.getClientRegistration(), accessToken, additionalParameters));

        Collection<? extends GrantedAuthority> mappedAuthorities =
                this.authoritiesMapper.mapAuthorities(oauth2User.getAuthorities());

        OAuth2LoginAuthenticationToken authenticationResult = new OAuth2LoginAuthenticationToken(
                authorizationCodeAuthentication.getClientRegistration(),
                authorizationCodeAuthentication.getAuthorizationExchange(),
                oauth2User,
                mappedAuthorities,
                accessToken,
                accessTokenResponse.getRefreshToken());
        authenticationResult.setDetails(authorizationCodeAuthentication.getDetails());

        return authenticationResult;
    }

    /**
     * Sets the {@link GrantedAuthoritiesMapper} used for mapping {@link OAuth2User#getAuthorities()}
     * to a new set of authorities which will be associated to the {@link OAuth2LoginAuthenticationToken}.
     *
     * @param authoritiesMapper the {@link GrantedAuthoritiesMapper} used for mapping the user's authorities
     */
    public final void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) {
        Assert.notNull(authoritiesMapper, "authoritiesMapper cannot be null");
        this.authoritiesMapper = authoritiesMapper;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return OAuth2LoginAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
